Date: Thu, 21 Jun 2012 09:32:18 +0200
From: Damien Fleuriot <ml@my.gd>
To: n dhert <ndhertbsd@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: apache PHP suhosin load
Message-ID: <F8A9D3A9-6825-4EFB-9B56-1D5C21143C1D@my.gd>
In-Reply-To: <CAEFCw4uyugX6t2PEJREVZMRCnKhmBz81QXS2MGvYBX3O6-HWaQ@mail.gmail.com>
References: <CAEFCw4uyugX6t2PEJREVZMRCnKhmBz81QXS2MGvYBX3O6-HWaQ@mail.gmail.com>

On 21 Jun 2012, at 08:34, n dhert <ndhertbsd@gmail.com> wrote:

> On FreeBSD 8.3 I have apache22 web server with PHP. PHP is PHP52 for
> compatibility with existing applications, but the most recent version
> in the php52 branch
> $ php --version
> PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: May 7 2012 08:45:58)
>
> From time to time, I notice in a top output, that a huge number of httpd
> daemons are being started, making the load rapidly increase to levels of
> 5, 10, 15, ... and very slow interactive response ...
>
> Stopping apache makes the load rapidly decrease to a normal level.
>
> I noticed at the console, at stopping apache, several messages such as
>
> Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT -
> canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR
> not set', file
> '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php',
> line 654)
>
> (the file value differs, but it's always "suhosin .. canary mismatch
> - heap overflow detected")
>
> My PHP has following options set
> # cd /usr/ports/lang/php52
> # make showconfig
> ===> The following configuration options are available for php52-5.2.17_8:
> CLI=on: Build CLI version
> CGI=on: Build CGI version
> APACHE=on: Build Apache module
> DEBUG=off: Enable debug
> SUHOSIN=on: Enable Suhosin protection system (not for jails)
> MULTIBYTE=off: Enable zend multibyte support
> IPV6=on: Enable ipv6 support
> MAILHEAD=off: Enable mail header patch
> REDIRECT=off: Enable force-cgi-redirect support (CGI only)
> DISCARD=off: Enable discard-path support (CGI only)
> FASTCGI=on: Enable fastcgi support (CGI only)
> FPM=off: Enable fastcgi process manager (CGI only)
> PATHINFO=on: Enable path-info-check support (CGI only)
> LINKTHR=off: Link thread lib (for threaded extensions)
>
> Is that heap overflow causing the trouble? Has suhosin to do something with
> it?
> How to solve?
>

For starters, I would suggest moving away from apache and towards nginx + fastcgi php.

A friend had a small dedicated server with a vbulletin forum overloaded with addons, and apache/php were bringing the server to "high" load levels, 10-20ish.
I've moved him to nginx and the server hardly ever goes above 1 now.

Additionally, nginx is immune to Slowloris attacks, while apache is not.

Only after migrating to nginx would I investigate if the suhosin problem still exists.
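
Added example, not part of the original message and not Suhosin's own code: a Python tally of the Suhosin ALERT lines quoted above, grouped by code location, attacker field and minute, so the alerts can be lined up against the load spikes. The sample log is constructed from the line in the message; the second file path and the sshd line are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the message (doubled syslog prefix
# included). '/home/example/www/index.php' and the sshd line are invented.
SAMPLE_LOG = """\
Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)
Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28831]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/home/example/www/index.php', line 12)
Jun 14 09:12:21 macos kernel: Jun 14 09:12:21 macos suhosin[28824]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)
Jun 14 09:12:22 macos sshd[900]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

# search() skips the outer "kernel:" prefix and matches the inner syslog header.
ALERT_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ suhosin\[(?P<pid>\d+)\]: ALERT - "
    r"(?P<msg>.*) \(attacker '(?P<attacker>[^']*)', "
    r"file '(?P<file>[^']*)'(?:, line (?P<line>\d+))?\)\s*$"
)

def parse_alerts(text):
    """Return one dict per Suhosin ALERT line; all other lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def summarize(alerts):
    """Count alerts per code location, per attacker field and per minute."""
    return {
        "by_site": Counter((a["msg"], a["file"], a["line"]) for a in alerts),
        "by_attacker": Counter(a["attacker"] for a in alerts),
        "by_minute": Counter(a["ts"][:-3] for a in alerts),  # drop ":SS"
        "pids": {a["pid"] for a in alerts},
    }

if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_LOG))
    for (msg, path, line), n in summary["by_site"].most_common():
        print(f"{n:4d}  {path}:{line}  {msg}")
    for minute, n in sorted(summary["by_minute"].items()):
        print(f"{minute}  {n} alert(s)")
    print("attacker field:", dict(summary["by_attacker"]))
    print("distinct PIDs:", len(summary["pids"]))
```
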